CN108229172A - Astride hierarchy data flow method for tracing based on windows platforms - Google Patents
Astride hierarchy data flow method for tracing based on windows platforms Download PDFInfo
- Publication number
- CN108229172A CN108229172A CN201810148627.XA CN201810148627A CN108229172A CN 108229172 A CN108229172 A CN 108229172A CN 201810148627 A CN201810148627 A CN 201810148627A CN 108229172 A CN108229172 A CN 108229172A
- Authority
- CN
- China
- Prior art keywords
- data
- monitored
- program
- user space
- analyzed
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The present invention relates to a kind of astride hierarchy data flow method for tracing based on windows platforms, and the API information for carrying out data exchange is used between windows operating system nucleus state and User space including obtaining;Program to be analyzed is run, performs the instruction of program to be analyzed;Process in traversing operation system obtains the process consistent with program process title to be analyzed, labeled as monitoring process;Generated data markers when performing monitoring process are monitored data for User space;During the routine call API to be analyzed, if corresponding input parameter is monitored data for the User space, the kernel data mapped after input is monitored data labeled as kernel state;The data that are monitored to User space and kernel state be monitored data carry out data flow follow-up analysis, so as to judge whether program to be analyzed has malicious act.The present invention can analyze while have user mode codes and a rogue program of kernel state code, can completely the processing procedure of monitoring data in a program, accuracy are high.
Description
Technical field
The present invention relates to technical field of network security more particularly to a kind of astride hierarchy data flows based on windows platforms
Method for tracing.
Background technology
Windows systems are the operating system of current main-stream, due to the complexity of software and the deficiency of the sense of security of users,
Malicious code using Floor layer Technology or the software with vicious function are largely propagated, caused by destroy getting worse.It is main at present
It to be analyzed using data flow method for tracing for these softwares, but traditional data flow is usually just in individual user
State or individual kernel state, it is difficult to track the information transmitted across User space and kernel state tracking.Windows systems include interior
Two core state, User space levels, existing windows platform dataflow analysis method be typically based on PinGrind, TEMU, Panda,
The platforms such as DECAF carry out data flow tracking using windows platform tainting analytical technology.Wherein, tainting analysis skill
Art generally includes two methods:Method 1. uses debugger, is attached in program, extracts and analyze data flow, method 2. is built
Virtual machine analyzes data flow by monitoring physical memory.
PinGrind platforms carry out data-flow analysis using method 1, and only user mode codes are monitored, specifically,
User's layer analysis data flow, is attached to using debugger on target process, and each binary code that monitoring programme performs refers to
It enables, the operation content of analysis instruction carries out the data-flow analysis of the specific methods such as tainting to it.The data flow point of client layer
The instruction of more complete monitoring process execution is capable of in analysis, but the analysis method is lost the original language of inner nuclear layer behavior program
Justice also has ignored the analysis to client layer and inner nuclear layer communication interface, thus the data based on debugger analysis striding course flow through
Cheng Shifen is difficult.
The platforms such as TEMU, PANDA, DECAF carry out data-flow analysis using method 2, to User space and kernel state without
It distinguishes, the data mixing got brings interference together, to post analysis.It is specifically, monitoring objective setting position is entirely empty
The physical memory of plan machine does not differentiate between the communication process between User space program and kernel state program, it is carried out based on this method
Data flow is tracked, and data volume is big and analysis difficulty.
It follows that Windows system data flow follow-up analysis method includes at least following shortcoming at present:
(1) analysis method based on virtual machine is used, effective monitoring and user mode codes and kernel state code can not be distinguished
Between information exchange and the data flow process in different levels;
(2) using based on the additional dataflow analysis method of debugger, can not effective analysis kernel state Program Semantics, together
Sample also has ignored the data exchanged between two levels.
However, malicious code performs the execution body of body and kernel state comprising User space simultaneously in many cases existing,
Therebetween information is mutually transmitted, therefore, existing data flow method for tracing is difficult realization that is accurate, stablizing to such malice generation
The Analysis on Mechanism of code, therefore how to realize that the astride hierarchy data flow tracking based on windows platforms becomes technology urgently to be resolved hurrily
Problem.
Invention content
The technical problems to be solved by the invention are, provide a kind of astride hierarchy data flow based on windows platforms and chase after
Track method virtualizes analysis environments, monitoring data Fabric Interface and instruction by structure, realizes the gamut of cross-layer data exchange
Monitoring and differentiation.
In order to solve the above technical problem, the present invention provides a kind of astride hierarchy data flows based on windows platforms to chase after
Track method, it is described to include the following steps:
It obtains and the API information for carrying out data exchange is used between windows operating system nucleus state and User space;
Program to be analyzed is run, performs the instruction of the program to be analyzed;
Traverse the process in the windows operating systems, obtain it is consistent with the program process title to be analyzed into
Journey, labeled as monitoring process;
Generated data markers are monitored data for User space when will perform the monitoring process;
It is used between kernel state and User space described in the routine call to be analyzed during the API for carrying out data exchange,
If corresponding input parameter is monitored data for the User space, the User space is monitored after data input in mapping
Nuclear Data is monitored data labeled as kernel state;
The data that are monitored to the User space and kernel state be monitored data carry out data flow follow-up analysis, so as to judge
State whether program to be analyzed has malicious act.
Further, it is used to carry out data exchange between the acquisition windows operating system nucleus state and User space
API information includes the following steps:
The virtual machine image of windows operating systems is installed;
Kernel executable program and driver are obtained according to the virtual machine image of the windows operating systems;
It is obtained according to the kernel executable program and driver and is used to carry out data friendship between User space and kernel state
The API information changed.
Further, include between the kernel state and User space for carrying out the API information of data exchange:The kernel
It is used to carry out call address, input parameter, output parameter and the return value of the API of data exchange between state and User space.
Further, the operation program to be analyzed, the instruction for performing the program to be analyzed include the following steps:
Start the virtual machine image of the windows operating systems using hardware simulator;
Program to be analyzed is run in the windows operating systems;
CPU performs the instruction of the program to be analyzed.
Further, the process in the windows operating systems includes performing the instruction generation of the program to be analyzed
Process record the process and perform other programs in addition to the program to be analyzed in the windows operating systems
The process record the process that is generated of instruction.
Further, it is described to be monitored data to the User space and the kernel state data that are monitored carry out data flow tracking point
Analysis includes the following steps:
The User space is obtained to be monitored the stain related datas of data;
The kernel state is obtained to be monitored the stain related datas of data;
The stain related data of data that is monitored to the User space and the kernel state are monitored the stains of data
Related data carries out data flow follow-up analysis.
Further, the stain related data for the data that are monitored using tainting analysis method to the User space
The stain related data progress data flow follow-up analysis for the data that are monitored with the kernel state.
Further, the method further includes, if the User space is monitored the stain related data of data and/or
The be monitored stain related data network AP I that is called of data of the kernel state is sent to remote address, then judge described in treat point
Analysis program has malicious act.
Further, the method further includes, and sets to record in the Protozoic code layer of the windows operating systems
The data structure of monitored data.
Further, the User space data that are monitored include:The program execution reading registration table to be analyzed, reading are clear
Look at device cookie information, read system configuration, read application program chat data, one kind into network address transmission data or
The corresponding returned data of operation.
According to another aspect of the invention, a kind of controller is provided, including memory and processor, the memory storage
There is the step of computer program, described program can realize the method when being performed by the processor.
According to another aspect of the invention, a kind of computer readable storage medium is provided, it is described for storing computer instruction
The step of instruction realizes the method when being performed by a computer or processor.
The present invention has clear advantage and advantageous effect compared with prior art.By above-mentioned technical proposal, the present invention
A kind of astride hierarchy data flow method for tracing based on windows platforms can reach comparable technological progress and practicability, and have
There is the extensive utility value in industry, at least there are following advantages:
The present invention can monitor User space, kernel state and carry out cross-layer number by the API between family state and kernel state
According to communication process, thus it can analyze while there are user mode codes and the rogue program of kernel state code, can completely supervise
The processing procedure of data in a program is controlled, there is higher accuracy and better analysis ability.
Above description is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention,
And it can be implemented in accordance with the contents of the specification, and in order to allow the above and other objects, features and advantages of the present invention can
It is clearer and more comprehensible, special below to lift preferred embodiment, and coordinate attached drawing, detailed description are as follows.
Description of the drawings
Fig. 1 provides the astride hierarchy data flow method for tracing schematic diagram based on windows platforms for one embodiment of the invention.
Specific embodiment
The technological means and effect taken further to illustrate the present invention to reach predetermined goal of the invention, below in conjunction with
Attached drawing and preferred embodiment, to a kind of astride hierarchy data flow method for tracing based on windows platforms proposed according to the present invention
Specific embodiment and its effect, be described in detail as after.
The embodiment of the present invention provides a kind of astride hierarchy data flow method for tracing based on windows platforms, as shown in Figure 1,
It is described to include the following steps:
Step S1, the API for being used to carry out data exchange between windows operating system nucleus state and User space is obtained
(Application Program Interface application programming interfaces) information;
Step S1 includes the following steps:
Step S11, the virtual machine image of windows operating systems is installed;
Step S12, kernel executable program and driving journey are obtained according to the virtual machine image of the windows operating systems
Sequence;
As an example, kernel executable program is including ntoskrnl.exe, win32k.sys etc..
Step S13, obtained according to the kernel executable program and driver be used between User space and kernel state into
The API information of row data exchange.
It is used to carry out data friendship between User space and kernel state as an example, kernel executable program and driver obtain
The API changed is including DeviceIoControl, NtReadFile, NtWriteFile etc..
Wherein, include between the kernel state and User space for carrying out the API information of data exchange:The kernel state and
It is used to carry out call address, input parameter, output parameter and the return value of the API of data exchange between User space.
When being called between User space and kernel state for carrying out the API of data exchange, if incoming parameter is to be supervised
The data flow of control, then the content that the parameter is mapped to kernel or user's space is also labeled as monitored data, after progress
Continuous data flow trace analysis.
Step S2, program to be analyzed is run, performs the instruction of the program to be analyzed;
Step S2 includes the following steps:
Step S21, start the virtual machine image of the windows operating systems using hardware simulator;
Specifically, configuration mirroring path obtains the windows operating system mirror images position of actual motion;Configuration is hard
Emulated memory size, system start-up time and the type for simulating CPU of part simulator.After the initialization for completing virtual memory, firmly
Part simulator loads above-mentioned windows operating systems mirror image, and starts windows operating systems.
As a kind of example, hardware simulator can be Qemu, including process monitoring module, instruction monitoring module, system
Monitoring module etc. is called, for carrying out process monitoring, instruction monitoring and System-call Monitoring etc..
Step S22, program to be analyzed is run in the windows operating systems;
Step S23, CPU performs the instruction of the program to be analyzed.
Step S3, the process in the windows operating systems is traversed, is obtained and the program process title one to be analyzed
The process of cause, labeled as monitoring process;
Wherein, the process in the windows operating systems include performing the instruction generation of the program to be analyzed into
Journey record the process and the finger for performing other programs in addition to the program to be analyzed in the windows operating systems
Enable generated process record the process.
Each process in Windows kernels by an EPROCESS block (EPROCESS represents a kind of data structure) Lai
It represents, not only contains the information such as the PID (identity), load address, process title of process in EPROCESS blocks, further include
Multiple pointers for being directed toward other dependency structure data structures.In practical implementation procedure, in Windows operating system
EPROCESS states are constantly checked, if finding new EPROCESS occur in chained list, analyze process name therein, if
Process name is consistent with the process title of program to be analyzed, then labeled as monitoring process, monitors all performed by the monitoring process
Instruction.
Generated data markers are monitored data for User space when step S4, will perform the monitoring process;
Wherein, the User space data that are monitored include:The program to be analyzed, which performs, to be read registration table, reads browser
Cookie information reads system configuration, reads application program chat data, one kind into network address transmission data or operation
Corresponding returned data.
Step S5, it is used to carry out the API of data exchange described in described routine call to be analyzed between kernel state and User space
In the process, if corresponding input parameter is monitored data for the User space, the User space is monitored after data input
The kernel data of mapping is monitored data labeled as kernel state;
User mode codes by call between kernel state and User space for carry out the API of data exchange come to kernel state pass
As a kind of example, the method identification API Calls compared address can be used in delivery data.In Windows systems, api interface base
It is realized in the export function of operating system nucleus executable program, kernel executable file and the drive of operating system is loaded into system
During dynamic file, system automatically analyzes the derived table of the dynamic base, what the api interface identification according to corresponding to export function to be monitored
Function.When function is called, its input parameter is analyzed, if input parameter is monitored data for User space, this is inputted
The corresponding kernel state region of memory data of parameter are denoted as kernel state and are monitored data also labeled as monitored state.
It should be noted that in actual use, the api interface to be monitored can be configured according to specific requirements, so as to
The data handling procedure of analysis malicious code comprehensively.
Step S6, the data that are monitored to the User space and kernel state be monitored data carry out data flow follow-up analysis, from
And judge whether the program to be analyzed has malicious act.
Step S6 includes the following steps:
Step S61, the User space is obtained to be monitored the stain related datas of data;
Step S62, the kernel state is obtained to be monitored the stain related datas of data;
Step S63, the stain related data of data that is monitored to the User space and the kernel state are monitored number
According to stain related data carry out data flow follow-up analysis.
As a kind of example, the stain for the data that are monitored using tainting analysis method to the User space is related
Data and the kernel state be monitored data stain related data carry out data flow follow-up analysis.But it is understood that
He is also suitable for this by data flow tracing algorithm.
If stain related data and/or the institute of data that the method further includes step S7, the User space is monitored
It states the be monitored stain related data network AP I that is called of data of kernel state and is sent to remote address, then judge described to be analyzed
Program has malicious act, otherwise, then continues to monitor.
It should be noted that the mode of the judgement malicious act described in step S7 is only a kind of example, in actual use
It is not limited to this, other common modes for judging malicious act also can be used to determine whether there is malicious act.
The method further includes step S8, is set in the Protozoic code layer of the windows operating systems for recording quilt
The data structure of monitoring data.Wherein, the data that are monitored are monitored data and phase including be monitored data, kernel state of User space
Acquired data during the data-flow analysis of pass.
Based on above-mentioned method and step, when traffic propagation process is in single User space, then tracks User space and be monitored
Data are simultaneously analyzed;When traffic propagation process is in single kernel state, in similary tracking, kernel state, which is monitored, data and analyzes;When
The data flow Fabric Interface function of monitoring is called or instructs when going to corresponding function interface, the ginseng of analysis interface function
Whether number (including incoming memory pointer, registers etc.), the parameter that determining interface function uses are monitored number comprising User space
According to, if comprising, using the partial data as new starting point, the communication process of monitoring data stream in subsequent level.
The embodiment of the present invention also provides a kind of controller, and including memory and processor, the memory is stored with meter
The step of calculation machine program, described program can realize the method when being performed by the processor.
The embodiment of the present invention also provides a kind of computer readable storage medium, for storing computer instruction, described instruction
The step of the method being realized when being performed by a computer or processor.
The method of the invention can monitor User space, kernel state and be carried out by the API between family state and kernel state
Astride hierarchy data communication process, thus can analyze while there are user mode codes and the rogue program of kernel state code, it can
The completely processing procedure of monitoring data in a program has higher accuracy and better analysis ability.
The above described is only a preferred embodiment of the present invention, not make limitation in any form to the present invention, though
So the present invention is disclosed above with preferred embodiment, however is not limited to the present invention, any technology people for being familiar with this profession
Member, without departing from the scope of the present invention, when the technology contents using the disclosure above make a little change or modification
For the equivalent embodiment of equivalent variations, as long as being the content without departing from technical solution of the present invention, technical spirit according to the present invention
To any simple modification, equivalent change and modification that above example is made, in the range of still falling within technical solution of the present invention.
Claims (10)
1. a kind of astride hierarchy data flow method for tracing based on windows platforms, it is characterised in that:It is described to include the following steps:
It obtains and the API information for carrying out data exchange is used between windows operating system nucleus state and User space;
Program to be analyzed is run, performs the instruction of the program to be analyzed;
The process in the windows operating systems is traversed, obtains the process consistent with the program process title to be analyzed, mark
It is denoted as monitoring process;
Generated data markers are monitored data for User space when will perform the monitoring process;
It is used between kernel state and User space described in the routine call to be analyzed during the API for carrying out data exchange, if right
The input parameter answered is monitored data for the User space, then be monitored the User space the interior check figure mapped after data input
It is monitored data according to labeled as kernel state;
The data that are monitored to the User space and the kernel state data that are monitored carry out data flow follow-up analysis, so as to judge described treat
Whether analysis program has malicious act.
2. the astride hierarchy data flow method for tracing according to claim 1 based on windows platforms, it is characterised in that:
It is described obtain between windows operating system nucleus state and User space for carry out the API information of data exchange include with
Lower step:
The virtual machine image of windows operating systems is installed;
Kernel executable program and driver are obtained according to the virtual machine image of the windows operating systems;
It is obtained according to the kernel executable program and driver and is used to carry out data exchange between User space and kernel state
API information.
3. the astride hierarchy data flow method for tracing according to claim 1 based on windows platforms, it is characterised in that:
Include between the kernel state and User space for carrying out the API information of data exchange:The kernel state and User space it
Between for carry out data exchange API call address, input parameter, output parameter and return value.
4. the astride hierarchy data flow method for tracing according to claim 2 based on windows platforms, it is characterised in that:
The operation program to be analyzed, the instruction for performing the program to be analyzed include the following steps:
Start the virtual machine image of the windows operating systems using hardware simulator;
Program to be analyzed is run in the windows operating systems;
CPU performs the instruction of the program to be analyzed.
5. the astride hierarchy data flow method for tracing according to claim 1 based on windows platforms, it is characterised in that:
Process in the windows operating systems include performing the instruction generation of the program to be analyzed process record into
The instruction of journey and other programs in addition to the program to be analyzed in the execution windows operating systems is generated
Process record the process.
6. the astride hierarchy data flow method for tracing according to claim 1 based on windows platforms, it is characterised in that:
It is described to be monitored data to the User space and the kernel state data that are monitored carry out data flow follow-up analysis and include following step
Suddenly:
The User space is obtained to be monitored the stain related datas of data;
The kernel state is obtained to be monitored the stain related datas of data;
The stain related data of data that is monitored to the User space and the kernel state be monitored data stain it is related
Data carry out data flow follow-up analysis.
7. the astride hierarchy data flow method for tracing according to claim 6 based on windows platforms, it is characterised in that:
The stain related data for the data that are monitored using tainting analysis method to the User space and the kernel state
The stain related data of monitored data carries out data flow follow-up analysis.
8. the astride hierarchy data flow method for tracing according to claim 7 based on windows platforms, it is characterised in that:
The method further includes, the stain related data of data and/or the kernel state quilt if the User space is monitored
The stain related data of the monitoring data network AP I that is called is sent to remote address, then judges that the program to be analyzed has malice
Behavior occurs.
9. the astride hierarchy data flow method for tracing based on windows platforms according to any one in claim 1-8,
It is characterized in that:
The method further includes, and sets to record monitored data in the Protozoic code layer of the windows operating systems
Data structure.
10. the astride hierarchy data flow method for tracing based on windows platforms according to any one in claim 1-8,
It is characterized in that:
The User space data that are monitored include:The program to be analyzed, which performs, to be read registration table, reads browser cookie letters
Breath reads system configuration, reads corresponding to application program chat data, one kind into network address transmission data or operation
Returned data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810148627.XA CN108229172A (en) | 2018-02-13 | 2018-02-13 | Astride hierarchy data flow method for tracing based on windows platforms |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810148627.XA CN108229172A (en) | 2018-02-13 | 2018-02-13 | Astride hierarchy data flow method for tracing based on windows platforms |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108229172A true CN108229172A (en) | 2018-06-29 |
Family
ID=62661909
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810148627.XA Pending CN108229172A (en) | 2018-02-13 | 2018-02-13 | Astride hierarchy data flow method for tracing based on windows platforms |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108229172A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112269536A (en) * | 2020-10-16 | 2021-01-26 | 苏州浪潮智能科技有限公司 | Method and device for optimizing storage software system and computer readable storage medium |
CN114115746A (en) * | 2021-12-02 | 2022-03-01 | 北京乐讯科技有限公司 | Full link tracking device of user mode storage system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102054149A (en) * | 2009-11-06 | 2011-05-11 | 中国科学院研究生院 | Method for extracting malicious code behavior characteristic |
CN102622536A (en) * | 2011-01-26 | 2012-08-01 | 中国科学院软件研究所 | Method for catching malicious codes |
US20140096250A1 (en) * | 2012-09-28 | 2014-04-03 | Kaspersky Lab Zao | System and method for countering detection of emulation by malware |
CN104715190A (en) * | 2015-02-03 | 2015-06-17 | 中国科学院计算技术研究所 | Method and system for monitoring program execution path on basis of deep learning |
CN106599681A (en) * | 2016-12-22 | 2017-04-26 | 北京邮电大学 | Malicious program characteristic extraction method and system |
CN107526966A (en) * | 2016-06-21 | 2017-12-29 | 中国科学院软件研究所 | A kind of compound tainting method for tracing of Android platform |
-
2018
- 2018-02-13 CN CN201810148627.XA patent/CN108229172A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102054149A (en) * | 2009-11-06 | 2011-05-11 | 中国科学院研究生院 | Method for extracting malicious code behavior characteristic |
CN102622536A (en) * | 2011-01-26 | 2012-08-01 | 中国科学院软件研究所 | Method for catching malicious codes |
US20140096250A1 (en) * | 2012-09-28 | 2014-04-03 | Kaspersky Lab Zao | System and method for countering detection of emulation by malware |
CN104715190A (en) * | 2015-02-03 | 2015-06-17 | 中国科学院计算技术研究所 | Method and system for monitoring program execution path on basis of deep learning |
CN107526966A (en) * | 2016-06-21 | 2017-12-29 | 中国科学院软件研究所 | A kind of compound tainting method for tracing of Android platform |
CN106599681A (en) * | 2016-12-22 | 2017-04-26 | 北京邮电大学 | Malicious program characteristic extraction method and system |
Non-Patent Citations (1)
Title |
---|
倪涛: "Windows内核漏洞检测与利用关键技术研究", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112269536A (en) * | 2020-10-16 | 2021-01-26 | 苏州浪潮智能科技有限公司 | Method and device for optimizing storage software system and computer readable storage medium |
CN114115746A (en) * | 2021-12-02 | 2022-03-01 | 北京乐讯科技有限公司 | Full link tracking device of user mode storage system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102622536B (en) | Method for catching malicious codes | |
US9703681B2 (en) | Performance optimization tip presentation during debugging | |
US8683444B1 (en) | System and method of debugging multi-threaded processes | |
US7707551B2 (en) | Cross-platform software development with a software development peripheral | |
KR102017756B1 (en) | Apparatus and method for detecting abnormal behavior | |
KR101519845B1 (en) | Method For Anti-Debugging | |
US9436449B1 (en) | Scenario-based code trimming and code reduction | |
EP2784716A1 (en) | Suspicious program detection | |
CA3152837A1 (en) | Simulator detection method and system | |
CN106575243A (en) | Hypervisor-hosted virtual machine forensics | |
CN107102886A (en) | The detection method and device of Android simulator | |
CN105335283A (en) | Application testing method and device in terminal equipment | |
CN102722672B (en) | A kind of method and device detecting running environment authenticity | |
US9921827B1 (en) | Developing versions of applications based on application fingerprinting | |
CN105074671A (en) | Method and system for detecting concurrency programming errors in kernel modules and device drivers | |
CN106096391B (en) | A kind of course control method and user terminal | |
US10546509B2 (en) | Evaluating user contribution in collaborative environments | |
KR20130015922A (en) | Method and apparatus for input password in using game | |
CN109726601A (en) | The recognition methods of unlawful practice and device, storage medium, computer equipment | |
CN110493074B (en) | Method and system for testing server and client | |
CN107741907A (en) | With reference to bottom instruction and the simulator detection method and device of system information | |
CN108229172A (en) | Astride hierarchy data flow method for tracing based on windows platforms | |
Srivastava et al. | CamForensics: Understanding visual privacy leaks in the wild | |
US10279266B2 (en) | Monitoring game activity to detect a surrogate computer program | |
CN113209630B (en) | Frame grabbing defense method and device for game application, storage medium and computer equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20180629 |